I remember after the first few months of one of my jobs discovering that I was out of the loop on information or tools that would’ve helped me do my job better. It’s frustrating for employees when they don’t know what cloud applications they have access to, or should have access to. There are a few ways companies handle—or don’t handle—this frustration.
1) Total Ad Hoc
Total ad hoc perfectly describes the scenario I found myself in. When my supervisor and other co-workers finally told me what I was supposed to have access to, I received the username and password over email—oh wait, that’s not secure? So, then we shared them over chat with the history turned off, or wrote them on sticky notes. A few of us even had digital “sticky notes” on our desktop, so we could easily copy and paste the password on the login screen.
Another ad hoc example, albeit a little more professional-looking, is spreadsheets. One publicly traded company we recently interacted with used an Excel spreadsheet with columns for divisions, URLs, usernames and passwords for their cloud applications.
Riddled with security risks, ad hoc approaches are asking for a data breach. IT’s worst nightmare, right?
2) Portal, Launchpad, Intranet
Another way companies let their employees know about cloud apps is through some type of portal, launchpad or intranet, like Google Apps or SharePoint.
Google Apps already has its own series of apps tied to one username (company email address) and password, and a number of applications allow a user to sign in through Google Apps—providing single sign-on rather than having to create another set of username and password credentials. Also, the administrator can create groups and assign user roles and permissions. However, the users still have to create credentials for other applications and manage those credentials somehow.
As a launchpad-style approach, IT could push out the most common links to employee desktops or start menus through AD group policies. It’s certainly better than nothing, but it doesn’t scale well.
3) Password Manager
A password manager, such as LastPass, is definitely a step up from the above approaches. Employees have a way to safely store their credentials, which can now be strong since they only have to remember two passwords: one for the password manager and one for their email (in case they need a password recovery for their password manager). Depending on the plan, some password managers give users the ability to share applications and see which applications are shared with them. Plus, some are capable of prompting for multifactor authentication, boosting security.
The downside is that accessing an application through shared credentials breaks compliance, making an audit of who had access when fairly useless.
4) Cloud-based IAM Provider
Ready for the real solution?
A cloud-based identity and access management (IAM) provider, like OneLogin, not only makes it very easy for employees to know which cloud apps they have access to via a unified portal, it also offers the following:
Single sign-on. Employees only have to sign in once and then have one-click access to their applications.
Flexible Mapping Engine. When new employees join, they can be automatically provisioned for all the applications their peers have access to, thanks to OneLogin’s unique mapping engine, which gives you the versatility to streamline access control policies.
Comprehensive security. Many IAM providers make it easy for IT to enforce security policies, as well as shut off access when employees leave the company. Also, a number of apps are authenticated through SAML (a much safer way to access apps than username and password).
Additionally, an IAM vendor offers the ability to unify directories so IT can manage users from one centralized place. The video below explains how the OneLogin Professional Services Team helped unify the directories of one of our clients, a Fortune 500 company in the financial industry.